
Releases: fortra/impacket

impacket 0.9.17

30 May 21:47

Project's main page at www.coresecurity.com

ChangeLog for 0.9.17:

  1. Library improvements

    • New [MS-PAC] implementation.
    • LDAP engine: added extensibleMatch string filter parsing, simple paging support and handling of unsolicited notifications (by @kacpern).
    • ImpactDecoder: added EAPOL, BOOTP and DHCP packet decoders (by Michael Niewoehner).
    • Kerberos engine: DES-CBC-MD5 support added (by @skelsec).
    • SMB3 engine: if the target server supports SMB >= 3, packets are encrypted by default.
    • Initial [MS-DHCPM] and [MS-EVEN6] interface implementations (by @MrAnde7son).
    • Major improvements to the NetBIOS layer, making more use of structure.py.
    • MQTT protocol implementation and example.
    • Tox/Coverage support added; test cases moved to their own directory. Major overhaul.
    • Many fixes and improvements in Kerberos, SMB and DCERPC (too many to name in a few lines).
  2. Examples improvements

    • GetUserSPNs.py: -request-user parameter added. Requests STs for the SPN associated with the specified user. Added support for AES Kerberoast tickets (by @elitest).
    • services.py: added port 139 support and related options (by @real-datagram).
    • samrdump.py: -csv switch added to output in CSV format.
    • ntlmrelayx.py: major architecture overhaul. Now works mostly through dynamically loaded plugins. SOCKS proxy support for relayed connections. Specific attacks for every protocol and support for new protocols (IMAP, POP3, SMTP). Awesome contributions by @dirkjanm.
    • secretsdump.py: AES(128) support for SAM hash decryption. OldVal parameter dump added to the LSA secrets dump (by @Ramzeth).
    • mssqlclient.py: alternative method to execute commands on MSSQL (sp_start_job) (by @Kayzaks).
    • lsalookupsid.py: added no-pass and domain-users options (by @ropnop).
  3. New Examples

    • ticketer.py: creates Golden/Silver tickets from scratch or based on a template (legally requested from the KDC), allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, duration, etc. Silver ticket creation by @machosec and @bransh.
    • GetADUsers.py: gathers data about the domain's users and their corresponding email addresses. It also includes some extra information about the last logon and last password set attributes.
    • getPac.py: gets the PAC (Privilege Attribute Certificate) structure of the specified target user using only normal authenticated user credentials. It does so by using a mix of [MS-SFU]'s S4U2Self + User-to-User Kerberos authentication.
    • getArch.py: connects to a target machine (or list of targets) and gathers the installed OS architecture type by (ab)using a documented MSRPC feature.
    • mimikatz.py: mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.
    • sambaPipe.py: exploits CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
    • dcomexec.py: a semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports the MMC20.Application, ShellWindows and ShellBrowserWindow objects (contributions by @byt3bl33d3r).
    • getTGT.py: given a password, hash or aesKey, this script requests a TGT and saves it as a ccache.
    • getST.py: given a password, hash, aesKey or TGT in a ccache, this script requests a Service Ticket and saves it as a ccache. If the account has constrained delegation (with protocol transition) privileges, you can use the -impersonate switch to request the ticket on behalf of another user.

As always, thanks a lot to all these contributors that make this library better every day (since last version):
@dirkjanm, @real-datagram, @kacpern, @martinuy, @xelphene, @blark, @the-useless-one, @contactr2m, @droc, @martingalloar, @skelsec, @franferrax, @FR0STBYT3, @ropnop, @MrAnde7son, @machosec, @federicoemartinez, @elitest, @symeonp, @Kanda-Motohiro, @Ramzeth, @mohemiv, @Arch4ngel, @derekchentrendmicro, @Kayzaks, @donwayo, @bao7uo, @byt3bl33d3r, @xambroz, @luzpaz, @TheNaterz, @Mikkgn, @derUnbekannt.

impacket 0.9.15

28 Jun 17:48

Project's main page at www.coresecurity.com

ChangeLog for 0.9.15:

  1. Library improvements

    • SMB3.create(): define CreateContextsOffset and CreateContextsLength when applicable (by @rrerolle).
    • Retrieve the user principal name from the CCache file, allowing any script to be called with -k and just the target system (by @MrTchuss).
    • Major overhaul of packet fragmentation for the DCE RPC layer.
    • Improved pass-the-key attack scenarios (by @skelsec).
    • Added a minimalistic LDAP/S implementation (supports PtH/PtT/PtK). Only search is available (and you need to build the search filter yourself).
    • IPv6 improvements for DCERPC, LDAP and Kerberos.
  2. Examples improvements

    • Added the -dc-ip switch to all examples. It allows specifying the IP of the domain controller. It assumes the DC and KDC reside on the same server.
    • secretsdump.py
      • Added support for Win2016 TP4 in LOCAL or -use-vss mode
      • Added the -just-dc-user switch to download just a single user's data (DRSUAPI mode only)
      • Support for different ReplEpoch values (DRSUAPI only)
      • pwdLastSet is also included in the output file
      • New structures/flags added for 2016 TP5 PAM support
    • wmiquery.py
      • Added the -rpc-auth-level switch (by @gadio)
    • smbrelayx.py
      • Added an option to specify the authentication status code sent to the requesting client (by @mgeeky)
      • Added the one-shot parameter. After successful authentication, the attack is executed only once for each target (per protocol)
  3. New Examples

    • GetUserSPNs.py: this module tries to find Service Principal Names that are associated with normal user accounts. This is part of the kerberoast attack researched by Tim Medin (@TimMedin).
    • ntlmrelayx.py: smbrelayx.py on steroids! NTLM relay attack from/to multiple protocols (HTTP/SMB/LDAP/MSSQL/etc.) (by @dirkjanm).

impacket_0_9_14: impacket 0.9.14

07 Jan 15:39
  1. Library improvements:

    • [MS-TSCH] - ATSVC, SASec and ITaskSchedulerService interface implementations
    • [MS-DRSR] - Directory Replication Service DRSUAPI interface implementation
    • Network Data Representation (NDR) runtime overhaul. Big performance and reliability improvements achieved
    • Unicode support (optional) for the SMBv1 stack (by @rdubourguais)
    • NTLMv2 enforcement option on the SMBv1 client stack (by @scriptjunkie)
    • Kerberos support for TDS (MSSQL)
    • Extended present flags support in the RadioTap class
    • Old DCERPC runtime code removed
  2. Examples improvements:

    • mssqlclient.py: added Kerberos authentication support
    • atexec.py: now uses the ITaskSchedulerService interface, adding support for Windows 2012 R2
    • smbrelayx.py:
      • If no file to upload and execute is specified (-E), it just dumps the target user's hashes by default
      • Added the -c option to execute custom commands on the target (by @byt3bl33d3r)
    • secretsdump.py:
      • Active Directory hashes/Kerberos keys are dumped using [MS-DRSR] (IDL_DRSGetNCChanges method) by default. The VSS method is still available via the -use-vss switch
      • Added -just-dc (extract only NTDS.DIT NTLM hashes and Kerberos keys) and -just-dc-ntlm (only NTDS.DIT NTLM hashes) options
      • Added resume capability (only for NTDS in DRSUAPI mode) in case the connection drops. Use the -resumefile option
      • Added dumping of the Primary:CLEARTEXT property from the supplementalCredentials attribute
      • Added support for multiple password encryption keys (PEK) (by @s0crat)
    • goldenPac.py: tests all DCs in the domain and adds the forest's Enterprise Admins group inside the PAC
  3. New examples:

    • raiseChild.py: child domain to forest privilege escalation exploit. Implements a child-domain to forest privilege escalation as detailed by Sean Metcalf (@PyroTek3) at https://adsecurity.org/?p=1640. It (ab)uses the concept of Golden Tickets and ExtraSids researched and implemented by Benjamin Delpy (@gentilkiwi) in mimikatz
    • netview.py: gets a list of the sessions opened at the remote hosts and keeps track of them (original idea by @mubix)

impacket_0_9_13: impacket 0.9.13

04 May 17:42

May 2015 - 0.9.13:

  1. Library improvements

    • Kerberos support for SMB and DCERPC featuring:
      a. kerberosLogin() added to SMBConnection (all SMB versions).
      b. Support for RPC_C_AUTHN_GSS_NEGOTIATE at the DCERPC layer. This will negotiate Kerberos. This also includes DCOM.
      c. Pass-the-hash, pass-the-ticket and pass-the-key support.
      d. Ccache support, compatible with Kerberos utilities (kinit, klist, etc.).
      e. Support for RC4, AES128_CTS_HMAC_SHA1_96 and AES256_CTS_HMAC_SHA1_96 ciphers.
      f. Support for RPC_C_AUTHN_LEVEL_PKT_PRIVACY/RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
    • SMB3 encryption support. A Pycrypto experimental version that supports AES_CCM is required.
    • [MS-SAMR]: Supplemental Credentials support (used by secretsdump.py)
    • SMBSERVER improvements:
      a. SMB2 (2.002) dialect experimental support.
      b. Added capability to export to John The Ripper format files
    • Library logging overhaul. Now there's a single logger called 'impacket'.
  2. Examples improvements:

    • Added Kerberos support to all modules (incl. pass-the-ticket/key)
    • Ported most of the modules to the new dcerpc.v5 runtime.
    • secretsdump.py: added dumping of Kerberos keys when parsing NTDS.DIT
    • smbserver.py: support for SMB2 (not enabled by default)
    • smbrelayx.py: added support for MS15-027 exploitation.
  3. New examples:

    • goldenPac.py: MS14-068 exploit. Saves the golden ticket and also launches a psexec session at the target.
    • karmaSMB.py: SMB server that answers with specific file contents regardless of the SMB share and pathname requested.
    • wmipersist.py: creates persistence over WMI. Adds/removes WMI Event Consumers/Filters to execute VBS based on a WQL filter or timer specified.
    • netview.py: gets a list of the sessions opened at the remote hosts, looping over the hosts found and keeping track of who logged in/out of the remote servers.